/*
|
* Copyright (c) 2018-2028, Chill Zhuang All rights reserved.
|
*
|
* Redistribution and use in source and binary forms, with or without
|
* modification, are permitted provided that the following conditions are met:
|
*
|
* Redistributions of source code must retain the above copyright notice,
|
* this list of conditions and the following disclaimer.
|
* Redistributions in binary form must reproduce the above copyright
|
* notice, this list of conditions and the following disclaimer in the
|
* documentation and/or other materials provided with the distribution.
|
* Neither the name of the dreamlu.net developer nor the names of its
|
* contributors may be used to endorse or promote products derived from
|
* this software without specific prior written permission.
|
* Author: Chill 庄骞 (smallchill@163.com)
|
*/
|
package com.vci.ubcs.auth.service;
|
|
import com.alibaba.nacos.common.utils.StringUtils;
|
import com.vci.ubcs.auth.constant.AuthConstant;
|
import com.vci.ubcs.auth.utils.TokenUtil;
|
import com.vci.ubcs.system.user.entity.User;
|
import com.vci.ubcs.system.user.entity.UserInfo;
|
import com.vci.ubcs.system.user.enums.UserEnum;
|
import com.vci.ubcs.system.user.feign.IUserClient;
|
import io.jsonwebtoken.Claims;
|
import lombok.RequiredArgsConstructor;
|
import lombok.SneakyThrows;
|
import me.zhyd.oauth.log.Log;
|
import com.vci.ubcs.common.cache.CacheNames;
|
import org.springblade.core.jwt.JwtUtil;
|
import org.springblade.core.jwt.props.JwtProperties;
|
import org.springblade.core.redis.cache.BladeRedis;
|
import org.springblade.core.tool.api.R;
|
import org.springblade.core.tool.support.Kv;
|
import org.springblade.core.tool.utils.*;
|
import com.vci.ubcs.system.cache.ParamCache;
|
import com.vci.ubcs.system.entity.Strategy;
|
import com.vci.ubcs.system.entity.Tenant;
|
import com.vci.ubcs.system.feign.ISysClient;
|
import org.springframework.beans.factory.annotation.Value;
|
import org.springframework.security.core.GrantedAuthority;
|
import org.springframework.security.core.authority.AuthorityUtils;
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
import org.springframework.security.core.userdetails.UserDetailsService;
|
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException;
|
import org.springframework.stereotype.Service;
|
|
import javax.servlet.http.HttpServletRequest;
|
import java.time.Duration;
|
import java.util.ArrayList;
|
import java.util.List;
|
|
/**
|
* 用户信息
|
*
|
* @author Chill
|
*/
|
@Service
|
@RequiredArgsConstructor
|
public class BladeUserDetailsServiceImpl implements UserDetailsService {
|
|
/**
|
* 允许错误次数
|
*/
|
//public static final Integer FAIL_COUNT = 5;
|
public static final String FAIL_COUNT_VALUE = "account.failCount";
|
|
/**
|
* user服务调用类
|
*/
|
private final IUserClient userClient;
|
|
private final ISysClient sysClient;
|
|
private final BladeRedis bladeRedis;
|
|
private final JwtProperties jwtProperties;
|
|
|
/**
|
* 超级管理员信息
|
*/
|
@Value("${user-info.tenant-id}")
|
private String tenantId;
|
@Value("${user-info.user-name}")
|
private String userName;
|
@Value("${user-info.passwrod}")
|
private String password;
|
@Value("${user-info.id}")
|
private String id;
|
@Value("${ip-whitelist.ip-enable}")
|
private Boolean ipEnable;
|
@Value("#{'${ip-whitelist.ip}'.split(',')}")
|
private List<String> ips;
|
|
@Override
|
@SneakyThrows
|
public BladeUserDetails loadUserByUsername(String username) {
|
HttpServletRequest request = WebUtil.getRequest();
|
// 获取用户绑定ID
|
String headerDept = request.getHeader(TokenUtil.DEPT_HEADER_KEY);
|
String headerRole = request.getHeader(TokenUtil.ROLE_HEADER_KEY);
|
// 获取租户ID
|
String headerTenant = request.getHeader(TokenUtil.TENANT_HEADER_KEY);
|
String paramTenant = request.getParameter(TokenUtil.TENANT_PARAM_KEY);
|
String password = request.getParameter(TokenUtil.PASSWORD_KEY);
|
String grantType = request.getParameter(TokenUtil.GRANT_TYPE_KEY);
|
// 判断租户请求头
|
if (StringUtil.isAllBlank(headerTenant, paramTenant)) {
|
throw new UserDeniedAuthorizationException(TokenUtil.TENANT_NOT_FOUND);
|
}
|
// 判断令牌合法性
|
if (!judgeRefreshToken(grantType, request)) {
|
throw new UserDeniedAuthorizationException(TokenUtil.TOKEN_NOT_PERMISSION);
|
}
|
|
// 指定租户ID
|
String tenantId = StringUtils.isBlank(headerTenant) ? paramTenant : headerTenant;
|
|
Log.debug("当前登录用户的租户Id为:"+tenantId+"当前登录用户名为:"+username);
|
Strategy strategy = sysClient.getByTenantIdAndName(tenantId, username).getData();
|
|
// 判断登录是否锁定
|
int count = getFailCount(tenantId, username);
|
//为防止取值为空报错的情况,当为空的时候给默认只为5次便锁定用户登录,但是一般很难出现这种情况,因为我feign里面是给了默认密码策略查询的
|
int failCountValue = Func.isEmpty(strategy) ? 5:Func.toInt(strategy.getLockingNum());
|
|
int failCount = Func.toInt(ParamCache.getValue(FAIL_COUNT_VALUE), failCountValue);
|
|
if (count >= failCount) {
|
throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_TOO_MANY_FAILS);
|
}
|
//超级管理员配置文件配置账号密码,实现登录, 默认租户id为000000
|
if(tenantId.equals(this.tenantId)){
|
if (!this.userName.equals(username) && !password.equalsIgnoreCase(this.password)) {
|
setFailCount(tenantId, username, count,strategy.getLockingTime());
|
throw new UsernameNotFoundException(TokenUtil.USER_NOT_FOUND);
|
}
|
//如果ip比对后get抛出异常No value present就直接抛异常结束登录
|
if(ipEnable){
|
Log.debug("当前访问IP:"+getIpAddress(request));
|
try {
|
ips.stream().filter(s -> s.equals(getIpAddress(request))).findFirst().get();
|
} catch (Exception e){
|
throw new UserDeniedAuthorizationException(TokenUtil.IP_NOT_FOND);
|
}
|
}
|
|
ArrayList<GrantedAuthority> authorities = new ArrayList<>();
|
authorities.add(new SimpleGrantedAuthority("administrator"));
|
// 成功则清除登录错误次数
|
delFailCount(tenantId, username);
|
Kv kv = Kv.create();
|
kv.set("type","web");
|
return new BladeUserDetails(
|
new Long(this.id),this.tenantId, StringPool.EMPTY, "超级管理员", "超级管理员",this.id, this.id,"1123598816738675201",
|
"administrator","https://gw.alipayobjects.com/zos/rmsportal/BiazfanxmamNRoxxVxka.png" ,this.userName, AuthConstant.ENCRYPT + this.password, kv,
|
true, true, true, true,authorities
|
);
|
}else {
|
R<Tenant> tenant = sysClient.getTenant(tenantId);
|
|
if (tenant.isSuccess()) {
|
if (TokenUtil.judgeTenant(tenant.getData())) {
|
throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_NO_TENANT_PERMISSION);
|
}
|
} else {
|
throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_NO_TENANT);
|
}
|
|
// 获取用户类型
|
String userType = Func.toStr(request.getHeader(TokenUtil.USER_TYPE_HEADER_KEY), TokenUtil.DEFAULT_USER_TYPE);
|
|
// 远程调用返回数据
|
R<UserInfo> result;
|
// 根据不同用户类型调用对应的接口返回数据,用户可自行拓展
|
if (userType.equals(UserEnum.WEB.getName())) {
|
result = userClient.userInfo(tenantId, username, UserEnum.WEB.getName());
|
} else if (userType.equals(UserEnum.APP.getName())) {
|
result = userClient.userInfo(tenantId, username, UserEnum.APP.getName());
|
} else {
|
result = userClient.userInfo(tenantId, username, UserEnum.OTHER.getName());
|
}
|
|
// 判断返回信息
|
if (result.isSuccess()) {
|
UserInfo userInfo = result.getData();
|
User user = userInfo.getUser();
|
// 用户不存在,但提示用户名与密码错误并锁定账号
|
if (user == null || user.getId() == null) {
|
setFailCount(tenantId, username, count,strategy.getLockingTime());
|
throw new UsernameNotFoundException(TokenUtil.USER_NOT_FOUND);
|
}
|
String hex = DigestUtil.hex(password);
|
// 用户存在但密码错误,超过次数则锁定账号
|
if (grantType != null && !grantType.equals(TokenUtil.REFRESH_TOKEN_KEY) && !user.getPassword().equals(hex)) {
|
setFailCount(tenantId, username, count,strategy.getLockingTime());
|
throw new UsernameNotFoundException(TokenUtil.USER_NOT_FOUND);
|
}
|
// 用户角色不存在
|
if (Func.isEmpty(userInfo.getRoles())) {
|
throw new UserDeniedAuthorizationException(TokenUtil.USER_HAS_NO_ROLE);
|
}
|
// 多部门情况下指定单部门
|
if (Func.isNotEmpty(headerDept) && user.getDeptId().contains(headerDept)) {
|
user.setDeptId(headerDept);
|
}
|
// 多角色情况下指定单角色
|
if (Func.isNotEmpty(headerRole) && user.getRoleId().contains(headerRole)) {
|
R<List<String>> roleResult = sysClient.getRoleAliases(headerRole);
|
if (roleResult.isSuccess()) {
|
userInfo.setRoles(roleResult.getData());
|
}
|
user.setRoleId(headerRole);
|
}
|
// 成功则清除登录错误次数
|
delFailCount(tenantId, username);
|
//填充用户信息到用户信息扩展类
|
BladeUserDetails bladeUserDetails = new BladeUserDetails(user.getId(),
|
user.getTenantId(), StringPool.EMPTY, user.getName(), user.getRealName(), user.getDeptId(), user.getPostId(), user.getRoleId(), Func.join(userInfo.getRoles()), Func.toStr(user.getAvatar(), TokenUtil.DEFAULT_AVATAR),
|
username, AuthConstant.ENCRYPT + user.getPassword(), userInfo.getDetail(),user.getSecretGrade(), true, true, true, true,
|
AuthorityUtils.commaSeparatedStringToAuthorityList(Func.join(result.getData().getRoles())),user.getStrategyUpdateStatus(),tenant.getData().getTenantName(),user.getDeptName(),user.getEmail());
|
return bladeUserDetails;
|
} else {
|
throw new UsernameNotFoundException(result.getMsg());
|
}
|
}
|
}
|
|
/**
|
* 获取客户端ip,客户端可能经过代理,也可能没经过代理
|
* 如开启虚拟机的情况也可能导致获取到的是虚拟机的ip
|
* @param request
|
* @return
|
*/
|
public static String getIpAddress(HttpServletRequest request){
|
String ip = request.getHeader("x-forwarded-for");
|
if (ip != null && ip.length() != 0 && !"unknown".equalsIgnoreCase(ip)) {
|
// 多次反向代理后会有多个ip值,第一个ip才是真实ip
|
ip = ip.split(",")[0];
|
}
|
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
|
ip = request.getHeader("Proxy-Client-IP");
|
System.out.println("Proxy-Client-IP"+ip);
|
}
|
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
|
ip = request.getHeader("WL-Proxy-Client-IP");
|
System.out.println("WL-Proxy-Client-IP"+ip);
|
}
|
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
|
ip = request.getHeader("HTTP_CLIENT_IP");
|
System.out.println("HTTP_CLIENT_IP"+ip);
|
}
|
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
|
ip = request.getHeader("HTTP_X_FORWARDED_FOR");
|
System.out.println("HTTP_X_FORWARDED_FOR"+ip);
|
}
|
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
|
ip = request.getHeader("X-Real-IP");
|
System.out.println("X-Real-IP"+ip);
|
}
|
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
|
ip = request.getRemoteAddr();
|
System.out.println("getRemoteAddr"+ip);
|
}
|
//如果没取到ip,返回""
|
if (ip == null || ip.length() == 0 || "unknown".equalsIgnoreCase(ip)) {
|
ip = "";
|
}
|
return ip;
|
}
|
|
/**
|
* 获取账号错误次数
|
*
|
* @param tenantId 租户id
|
* @param username 账号
|
* @return int
|
*/
|
private int getFailCount(String tenantId, String username) {
|
return Func.toInt(bladeRedis.get(CacheNames.tenantKey(tenantId, CacheNames.USER_FAIL_KEY, username)), 0);
|
}
|
|
/**
|
* 设置账号错误次数
|
*
|
* @param tenantId 租户id
|
* @param username 账号
|
* @param count 次数
|
*/
|
private void setFailCount(String tenantId, String username, int count, Long expir) {
|
bladeRedis.setEx(CacheNames.tenantKey(tenantId, CacheNames.USER_FAIL_KEY, username), count + 1, Duration.ofMinutes(expir));
|
}
|
|
/**
|
* 清空账号错误次数
|
*
|
* @param tenantId 租户id
|
* @param username 账号
|
*/
|
private void delFailCount(String tenantId, String username) {
|
bladeRedis.del(CacheNames.tenantKey(tenantId, CacheNames.USER_FAIL_KEY, username));
|
}
|
|
/**
|
* 校验refreshToken合法性
|
*
|
* @param grantType 认证类型
|
* @param request 请求
|
*/
|
private boolean judgeRefreshToken(String grantType, HttpServletRequest request) {
|
if (jwtProperties.getState() && jwtProperties.getSingle() && StringUtil.equals(grantType, TokenUtil.REFRESH_TOKEN_KEY)) {
|
String refreshToken = request.getParameter(TokenUtil.REFRESH_TOKEN_KEY);
|
Claims claims = JwtUtil.parseJWT(refreshToken);
|
String tenantId = String.valueOf(claims.get("tenant_id"));
|
String userId = String.valueOf(claims.get("user_id"));
|
String token = JwtUtil.getRefreshToken(tenantId, userId, refreshToken);
|
return StringUtil.equalsIgnoreCase(token, refreshToken);
|
}
|
return true;
|
}
|
|
}
|
